A former Emory Healthcare physician placed patient files on a OneDrive account accessible to other University of Arizona employees.
Emory Healthcare has notified 24,000 patients that their information was accessible after a former physician placed patient files on a Microsoft cloud account overseen by an Arizona medical school.
The former Emory physician, who now works for the University of Arizona College of Medicine, obtained and placed patient files on a OneDrive account that was accessible to “individuals set up with a specific UA email account,” according to a notice posted by Emory. The Atlanta-based system was notified about the incident in October after the University of Arizona conducted an investigation.
The hospital added that “it has no reason to believe patient information was actually viewed by anyone outside of EHC other than former EHC physicians who now work for the UA, limited UA staff and those at UA investigating this incident.”
RELATED: HIPAA fine for sale of drive on eBay
The files were limited to patients that received radiology services at Emory between 2004 and 2014. The information stored on the cloud server included diagnostic and medical data, but no Social Security numbers or financial information.
Emory reported the incident to the Department of Health and Human Services on December 15 after mailing notices to the affected patients. The health system said its reviewing security measures and employee education programs to prevent future incidents.
Earlier this year, Emory reported its online appointment system had been hacked, impacting information for nearly 80,000 patients.
e-End operates a secure facility in Frederick, MD, specializes in destroying a wide variety of classified data and various controlled devices. This includes destruction of data containing hard drives, destruction of itar controlled devices, it equipment, and tactical military devices. They routinely destroy body armor that has reached the end of its certified period of use.